Chamilo LMS has a great track record for fixing reported security issues, working together with security actors, publishing fixes prior to the official publication of the vulnerabilities on official sites.

So far, in the history of the project (since late 2009), all (but one) vulnerabilities have been fixed less than 120h (5 days) after they were reported to us, and the process of code revision by packagers before inclusion (no unchecked plugin) has always been followed, making it the most secure open source e-learning platform to date.

If you have found a new security flaw in Chamilo, please send us an e-mail at security@chamilo.org and info@chamilo.org, including "Chamilo Vulnerability" in your topic line. We will respond quickly to these (usually within 24h), so if you don't receive an answer, please consider that it might not have been received and send it again. In the worst case, open an issue in this issue tracking system to call for our attention, but please do not publish the flaw until a patch has been developed.

We will then prepare (and publish below) a full report and the corresponding patch to secure your platform. We will also provide the patch in the form of a zip to unzip into your Chamilo directory for the latest stable version.

If you don't use the latest version, you will have to upgrade first or apply the patch yourself to your version.

Chamilo LMS version 1.11.8 contains an SQL injection, allowing users with access to the sessions catalogue (which may optionally be made public) to extract and/or modify database information. We recommend any administrator using sessions and having enabled the sessions catalogue to apply the patch ASAP.

These security patches will be part of any future 1.11.* version and versions 2.0 and up. There is no guarantee a new 1.11.* version will be published in the future, so this patch should be applied manually.

Chamilo LMS version 1.11.8 contains two XSS vulnerabilities, one in the gradebook dependencies tool and one in the social groups tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits. Also, some paths disclosure appeared in the case of a platform configured as "test" platform and showing PHP notice and warning messages on screen (which is not recommended).

These security patches will be part of any future 1.11.* version and versions 2.0 and up. There is no guarantee a new 1.11.* version will be published in the future, so this patch should be applied manually.

Chamilo LMS version 1.11.8 contains several vulnerabilities of different levels of risk and criticality.

Two SQL injection issues require admin access, so although these are very high-damage vulnerabilities, we lowered the risk because they require very specific access to administration pages. Several reflected XSS vulnerabilities have been reported in a mix of admin and public pages, so we raised the risk to moderate. One stored XSS vulnerability was found on a course description page that requires user access to the specific course (low risk).

We thank Zekvan Arslan and the Netsparker Web Application Security Scanner team for their work finding and reporting these issues. A first advisory was sent to the wrong e-mail in July but we only caught it in November. A special thanks to the Netsparker team for finding the right channels and being persistent on that one. We couldn't have made this safe report without you.

This security patch will be part of any future 1.11.* version and versions 2.0 and up. There is no guarantee a new 1.11.* version will be published in the future, so this patch should be applied manually.

Chamilo LMS version 1.11.8 contains an additional series of XSS vulnerabilities in the agenda tool, allowing authenticated users to affect other users (sharing the same agenda events). This is considered "low risk" because, due to the nature of the feature it exploits, it is either necessary to be a teacher in a course or to be a student that was explicitly allowed by a teacher to edit agenda events. As such, the existence of the issue would only (in theory) affect open platforms or platforms with malicious (and security-skilled) teachers.

These security patches will be part of any future 1.11.* version and versions 2.0 and up. There is no guarantee a new 1.11.* version will be published in the future, so this patch should be applied manually.

Chamilo LMS version 1.11.8 contains an XSS vulnerability in the user registration form. This represents a "moderate" risk because it is only available on open portals (Chamilo portals that allow registration by anyone). However, on these portals, it might have serious implications for administrators checking the users list on the administration page. As such, we urge all admins of open portals to update their Chamilo 1.11.8 portals with the patch provided below (a one-liner easily applied by hand).

While we thank the author ("Cakes") for reporting this issue, we disapprove of the immediate publication. Our policy is to provide a patch within 72h of being notified, as far as humanly possible. We received no notification before this went public. Contact details are available in the first section of this page. Also, while reporting it in "white hat" mode, "Cakes" also tested it on a live public portal, which is not really what we would expect where the report indicates it was tested on a different IP address. Despite these 2 latest detected vulnerabilities, we believe (based on security reports of competitors) Chamilo remains the safest LMS around.

This security patch will be part of any future 1.11.* version and versions 2.0 and up. There is no guarantee a new 1.11.* version will be published in the future, so this patch should be applied manually.

Chamilo LMS version 1.11.8 contains an XSS vulnerability in the agenda tool, allowing authenticated users to affect other users (sharing the same agenda events). This is considered "low risk" because, due to the nature of the feature it exploits, it is either necessary to be a teacher in a course or to be a student that was explicitly allowed by a teacher to edit agenda events. As such, the existence of the issue would only (in theory) affect open platforms or platforms with malicious (and security-skilled) teachers.

While we thank the author ("Cakes") for reporting this issue, we disapprove of the immediate publication. Our policy is to provide a patch within 72h of being notified, as far as humanly possible. We received no notification before this went public. Contact details are available in the first section of this page.

This security patch will be part of any future 1.11.* version and versions 2.0 and up. There is no guarantee a new 1.11.* version will be published in the future, so this patch should be applied manually.

Chamilo LMS version 1.11.x contains an unserialization vulnerability in a POST parameter that can result in unauthenticated remote code execution. This attack is only exploitable by users with access to the course maintenance tool (teachers and admins), which is why we reduced the risk to Moderate.

Chamilo LMS version 11.x contains an unserialization vulnerability in the "hash" GET parameter for the API endpoint located at /webservices/api/v2.php that can result in unauthenticated remote code execution. This attack appears to be exploitable via a simple GET request to the API endpoint. This vulnerability appears to have been fixed in commit 0de84700648f098c1fbf6b807dee28ec640efe62. CVE-2018-1999019 has been assigned to this issue.
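The two advisories above share one root cause: a request parameter handed straight to unserialize(). The following is an added illustration, not Chamilo's code and not the fix from the commit referenced above; function names, the token layout and the secret are assumptions. It shows the unsafe pattern, the narrow mitigation for legacy callers (refusing object instantiation), and the preferred design, where the client only ever carries an opaque, HMAC-signed token that the server decodes as JSON.

```php
<?php
// Added example (not Chamilo's code). Hypothetical helpers for an API "hash" parameter.
declare(strict_types=1);

// UNSAFE PATTERN (shown for contrast, do not use): the client chooses which classes
// get instantiated, so their __wakeup()/__destruct() run on attacker-controlled data.
function decode_hash_unsafe(string $hash)
{
    return unserialize(base64_decode($hash));
}

// MITIGATION 1: if legacy callers really send serialized scalars/arrays, forbid
// object instantiation entirely (PHP >= 7.0). Objects become __PHP_Incomplete_Class
// placeholders whose real-class magic methods never run.
function decode_hash_no_objects(string $hash)
{
    $raw = base64_decode($hash, true);
    if ($raw === false) {
        return null;
    }
    $value = @unserialize($raw, ['allowed_classes' => false]);
    // unserialize() returns false on failure; 'b:0;' is the only legitimate false.
    if ($value === false && $raw !== 'b:0;') {
        return null;
    }
    return $value;
}

// MITIGATION 2 (preferred): the client never defines structure at all.
// The server issues base64(JSON payload) . '.' . HMAC and verifies before decoding.
function issue_hash(array $payload, string $secret): string
{
    $json = json_encode($payload, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $secret);
}

function verify_hash(string $hash, string $secret): ?array
{
    $parts = explode('.', $hash, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $json = base64_decode($b64, true);
    if ($json === false) {
        return null;
    }
    // Constant-time comparison so the MAC cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $json, $secret), $mac)) {
        return null;
    }
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['exp']) || $data['exp'] < time()) {
        return null; // malformed or expired token
    }
    return $data;
}

// Demonstration with constructed values.
$secret = 'constructed-secret-from-config';
$token  = issue_hash(['user_id' => 42, 'exp' => time() + 300], $secret);
var_dump(verify_hash($token, $secret)['user_id'] === 42);  // true
var_dump(verify_hash($token . 'x', $secret) === null);     // true: MAC mismatch
var_dump(decode_hash_no_objects(base64_encode('O:8:"stdClass":0:{}'))
    instanceof __PHP_Incomplete_Class);                    // true: no real class instantiated
```

The HMAC variant is the one to reach for in an API endpoint: whatever the "hash" parameter contains, nothing is decoded until the signature has been checked with the server-side secret, and the decoded form is plain JSON data with no class information in it.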

A flaw in the logic of the "Who is online" page made it possible for unauthenticated users to get a list of names and pictures of the users currently online on the Chamilo portal. We consider it a moderate risk as it is available to the public but only through using specific URLs not directly visible to the public, and because it only makes names and pictures available (no other private information) and only for users connected now or in the past few minutes.

This affects versions 1.11 of Chamilo and possibly previous versions.

This was kindly mentioned by Jurjen de Jonge of HVA.nl on 23/5/2018 but only received by us (due to e-mail issues on our side) on the 31/5/2018. A fix was provided a few hours after finally receiving the report. The fix removes the information if the option "see connected users from the portal homepage" has been disabled. By default, this option is enabled in Chamilo, so for security reasons, we recommend admins to disable it when installing their portal.

A flaw in the logic of the assignments tool in Chamilo made it possible for registered users to access the assignments provided by all other users in the same course.

This affects versions 1.11 of Chamilo (and probably previous versions), but you need a user account, to have access to a course and that the assignments tool be enabled in order to abuse this flaw. If all these conditions are combined, you could effectively download assignments from all other students even if you configured that assignments are not shared.

This was kindly reported by Jan Derriks of HVA.nl on the 9/4/2018. A fix for 1.11 was provided 40 minutes later.

A flaw in the elfinder extension to CKeditor in Chamilo was reported to us by Sandro "guly" Zaccarini.

This affects versions 1.10 and 1.11 of Chamilo, but you need a user account, that the social network be enabled and a special script to hack the upload method. This is why, although a PHP file upload issue would usually be marked as "High" or "Very high" risk, this has been lowered to "Moderate" risk.

We have made patches available to development versions of both 1.10 and 1.11:

A series of user input data were reported as unsanitized in 1.10.6. This was reported by Echelon team (npo-echelon.ru) and automatically detected by static code analyzer AppChecker. As far as we could check, these require course access and, as such, will not affect non-public courses. You either have to have an open-access platform or an open course inside your platform to be affected.

A rogue (not reported through official channels and including a public exploit) security issue was reported on 17/02/2016 by Lawrence Amer about being able to hijack another person's session through the handling of a crafted work in the assignments tool. This requires low-permissions access (student in a course) but could allow a student to hijack a teacher's or admin's session.

Fixes for different versions of Chamilo are provided below, matching our max 72h response time policy:

A rogue (not reported through official channels and including a public procedure on how to exploit it) security issue was reported on 15/02/2016 by Lawrence Amer about accessing other people's messages in the Chamilo social network, and giving the ability to delete others' messages. Given the fact that messages are also sent by e-mail, we do not consider the deletion of other people's messages a high risk. However, accessing the messages themselves can be considered a high private information access vulnerability.

Fixes for different versions of Chamilo are provided below, matching our max 72h response time policy:

Because the change is clearly visible in the URL, we don't consider this vulnerability to represent a high risk to the user, but we still consider this a valid vulnerability, which is why we have provided the following fix, that you can freely apply to your 1.9.* installation. These changes will effectively ignore the link_url parameter and only take into account the link_id which is stored in the database, making it impossible to hack through the same channel. Very complicated circumstances prevented us from publishing the fix on this page in a timely manner, but the commits were sent several days ago already.

A series of XSS and CSRF vulnerabilities were reported on the 2/3/2015 by Rehan Ahmed. After careful consideration and a fruitful exchange, we released different patches (find them individually in the Chamilo changelog for 1.9.10.2) that cover these vulnerabilities.

In the official report, the author mentions the patch release to be 1.9.11. However, our bugfix releases policy enforces the use of the 1.9.10.2 number for this release. As of this writing, 1.9.11 does not (and will not) exist, it is a misnaming of 1.9.10.2.

This is considered a moderate risk because most of these require to be an authenticated user in order to exploit them. On privately-managed portals, this is usually not an issue, but on open campuses, it is.

Initial report: received by e-mail on 2/3/2015
Proper report: #7564
Fix: The fix is to upgrade to Chamilo LMS 1.9.10.2, released today. The changelog contains the individual commits required to fix the vulnerabilities manually.
Affected versions: These vulnerabilities are likely to affect all previous versions of Chamilo LMS

If you are using any 1.9.x version of Chamilo, 1.9.10.2 is a minor version, so upgrading is only a matter of overwriting the current Chamilo code (removing the home/ directory in the new version package is recommended before you overwrite, in case you have a customized homepage).

If you require assistance applying those fixes, Chamilo Official Providers are trained to help you out in a professional manner.

A series of security issues have been reported on the 9/12/2014 by Kacper Szurek. Because these vulnerabilities potentially affected numerous parts of the code, we took some time to finish a complete review of Chamilo and decided to publish the fix as part of Chamilo LMS 1.9.10.

This is considered high-risk because we could not measure precisely the impact it might have had, but we urge all our users to upgrade to Chamilo LMS 1.9.10 as soon as possible to avoid any problematic incidence.

Initial report: received by e-mail on 9/12/2014
Proper report: #7440
Fix: The fix is to upgrade to Chamilo LMS 1.9.10, released today. A standalone patch cannot be easily provided because it is too likely to break other parts of the code.
Affected versions: These vulnerabilities are likely to affect all previous versions of Chamilo LMS

If you are using any 1.9.x version of Chamilo, 1.9.10 is a minor version, so upgrading is only a matter of overwriting the current Chamilo code (removing the home/ directory in the new version package is recommended before you overwrite, in case you have a customized homepage).

If you would like to apply a patch manually (and although we don't have a complete and secure patch at the moment), you can use the 3 main changes that were applied to fix it. This might not be an exhaustive list and, as always, Chamilo or BeezNest are not responsible for what might happen to your platform (see the GNU/GPLv3 license for details):

A security issue has been reported by NeoSys on our forum, which allows a person with access to a course's users tool to pass a specially-crafted "status" parameter to get more results than expected, and potentially access (and modify) other parts of the database.

This is considered moderate-high because it is limited to users having access to the tool, but it has a possibly high impact.

A security issue has been published for FCKeditor very shortly after the release of Chamilo LMS 1.9.8. Considering we are including a vulnerable version of FCKeditor in our software, we cannot leave this issue unattended, and as such we are releasing Chamilo LMS 1.9.8.1, a patch version for 1.9.8, with just one file patched. See https://github.com/chamilo/chamilo-lms/commit/2b6686e620407ab8d4ceb8951de4ce978917fc93 for more details or if you want to apply the patch manually. This covers CVE-2014-4037.

Considering the relatively short period of time between the release of 1.9.8 and 1.9.8.1, we will still release 1.9.8.1 under the "commercial" name of 1.9.8, and will link all previous 1.9.8 links to the new 1.9.8.1 package. The changelog has been updated. Considering you will be updating to 1.9.8.1 anyway, you'll notice that we've also fixed a few (around 5) minor (mostly visual) issues that we caught just after the release of 1.9.8. So you kill 2 birds with one stone.

As always, being a minor version, you can just overwrite your previous installation with the files from this new package.

Javier Bloem, independent white hat hacker from Venezuela, reported multiple possible attack vectors in description fields of Chamilo. Although these attacks require at minimum an access as a registered user to the portal, they do represent a vulnerability for those portals that are accepting open registration.
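Most of the XSS reports on this page (registration names shown on the administration users list, course descriptions, agenda events and the description fields just mentioned) come down to user-supplied text reaching HTML without context-appropriate encoding. The following is an added example, not Chamilo's code; the helper names, the user array and the rendered row are assumptions. It escapes for text and attribute context and refuses non-http(s) URLs in href.

```php
<?php
// Added example (not Chamilo's code). Hypothetical output-encoding helpers for an
// administrator's user list built from registration-form input.
declare(strict_types=1);

/** Escape for HTML text nodes and double-quoted attribute values. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Only http(s) URLs may be emitted into href; anything else becomes a harmless "#". */
function e_url(string $value): string
{
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '#';
    }
    return e($value);
}

/** One row of the administrator's user list; every dynamic value goes through e()/e_url(). */
function render_user_row(array $user): string
{
    return '<tr>'
        . '<td>' . e($user['firstname']) . ' ' . e($user['lastname']) . '</td>'
        . '<td><a href="' . e_url($user['website']) . '" title="' . e($user['firstname']) . '">profile</a></td>'
        . '<td><span data-name="' . e($user['username']) . '">' . e($user['username']) . '</span></td>'
        . '</tr>';
}

// Constructed registration input carrying markup and quotes in several fields.
$user = [
    'firstname' => '<script>x</script>Eve',
    'lastname'  => '"Admin"',
    'username'  => "eve' onclick='x",
    'website'   => 'javascript:x',
];
$row = render_user_row($user);
var_dump(strpos($row, '<script') === false);   // true: tags rendered as text
var_dump(strpos($row, 'href="#"') !== false);  // true: non-http URL dropped
var_dump(strpos($row, "'") === false);         // true: quotes encoded, attribute cannot be broken out of
echo $row, PHP_EOL;
```

Fields that legitimately hold rich text (a course description edited in the WYSIWYG editor) cannot be handled with htmlspecialchars() alone; they need an HTML sanitizer with an element and attribute allowlist, which is out of scope here. Plain-text fields such as names and usernames should never be stored "pre-escaped": store the raw value and encode at output, in the context the value lands in.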

Eric Marguin, from agence-codecouleurs.fr, reported an attack related to flaw #11, confirming it at the same time, whereby a skilled attacker injected a php file through an unprotected entry point in our implementation of FCKEditor.

Stijn Michels, one of Chamilo LMS's users, reported in #6860 that he had been attacked through a likely flaw in one of FCKEditor's plugins used in Chamilo LMS, through the fact that it does not check the user's identification before uploading a file. The attack could not be reproduced. However, we think that a preventive correction is important, and we have worked together to publish a patch that can be applied to any 1.8 or 1.9 version of Chamilo.

Affected versions: 1.8.*, 1.9.*

To fix, please update your main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/inc/config.php file adding the following on line 19:

api_block_anonymous_users();

and main/inc/lib/fckeditor/editor/filemanager/connectors/php/config.php to add
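The one-line fix above places an authentication guard in front of the editor's upload connector. For readers who maintain their own connectors, the following is an added example, not Chamilo's code and not the second config snippet this page refers to (that snippet is absent above). Function names, the session layout and the extension allowlist are assumptions; it shows the guard plus the file-name checks that keep a PHP file from being written into a web-served directory, the class of attack described in the three reports above.

```php
<?php
// Added example (not Chamilo's code). Hypothetical upload connector guard.
declare(strict_types=1);

const ALLOWED_UPLOAD_EXT = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt'];

/** Abort the request unless a logged-in user is in the session (the role of api_block_anonymous_users()). */
function require_authenticated_user(array $session): int
{
    if (empty($session['user_id']) || !is_int($session['user_id'])) {
        http_response_code(403);
        exit('Authentication required');
    }
    return $session['user_id'];
}

/** Validate an uploaded file's client-supplied name; return a server-chosen name or null. */
function safe_upload_name(string $clientName): ?string
{
    // Drop any directory component, whether "/" or "\" separated.
    $name = basename(str_replace('\\', '/', $clientName));
    // Exactly one extension: rejects "x.php.jpg" style double extensions.
    $parts = explode('.', $name);
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }
    $ext = strtolower($parts[1]);
    if (!in_array($ext, ALLOWED_UPLOAD_EXT, true)) {
        return null;
    }
    // The client never chooses the final path: random name, allowlisted extension.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

/** Connector entry point: guard, validate, then move into a directory that does not execute scripts. */
function handle_upload(array $session, array $file, string $uploadDir): ?string
{
    require_authenticated_user($session);
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $target = safe_upload_name((string) $file['name']);
    if ($target === null) {
        return null;
    }
    // is_uploaded_file() ensures the source really came from this HTTP request.
    if (!is_uploaded_file($file['tmp_name'])
        || !move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $target)) {
        return null;
    }
    return $target;
}

// Name validation exercised with constructed inputs (the HTTP upload itself needs a real request).
var_dump(safe_upload_name('photo.jpg') !== null);      // true
var_dump(safe_upload_name('page.php') === null);       // true: not allowlisted
var_dump(safe_upload_name('page.php.jpg') === null);   // true: double extension refused
var_dump(safe_upload_name('../../x.png') !== null);    // true: path parts stripped, name regenerated
```

The allowlist is deliberately short; extend it per deployment rather than switching to a denylist of "dangerous" extensions, which always lags behind what the web server will execute. Serving the upload directory with script execution disabled is the second, independent layer.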

High-Tech Bridge reported an SQL-injection-type security flaw in version 1.9.6 of Chamilo LMS (which also affects previous versions). This flaw only affects Chamilo LMS platforms which use non-encrypted passwords mode (a mode that is available as a non-default option only during Chamilo LMS's installation process and is difficult to change afterwards). If non-encrypted mode is selected (voluntarily) and malicious users have access to the profile edit form (which requires an active registered user account on the platform), then this issue represents a very high risk for you! We believe and hope that most of our platform administrators have chosen the default recommended encrypted mode on their platform, but it is important to us to cover all risks. This is why we will be issuing a fix very shortly.
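This report and the earlier "status" parameter report (the course users tool) are both SQL injection through a value that reaches the query text. The following is an added example, not Chamilo's code and not the profile.php line the next paragraph refers to; table names, column names and function names are assumptions. It shows an allowlisted, bound "status" filter and a password check that compares in PHP after a parameterized lookup, so the submitted password never touches SQL even in plaintext mode.

```php
<?php
// Added example (not Chamilo's code). Hypothetical schema: course_users(c_id, user_id,
// username, status) and users(id, password). Demonstrated with SQLite in memory.
declare(strict_types=1);

// Problem 1: a "status" parameter spliced into SQL. Vulnerable shape, for contrast only:
//   "SELECT ... WHERE status = " . $_GET['status']
// Hardened: the value must be one the application defines, and it is bound, not concatenated.
const USER_STATUS = ['student' => 5, 'teacher' => 1];

function list_course_users(PDO $db, int $courseId, string $status): array
{
    if (!array_key_exists($status, USER_STATUS)) {
        throw new InvalidArgumentException('unknown status');
    }
    $stmt = $db->prepare(
        'SELECT user_id, username FROM course_users WHERE c_id = :cid AND status = :status'
    );
    $stmt->execute([':cid' => $courseId, ':status' => USER_STATUS[$status]]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Problem 2: verifying the current password on the profile form. The candidate password is
// never part of the SQL text; look the stored value up by id and compare in PHP.
function check_user_password(PDO $db, int $userId, string $candidate, bool $encrypted): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;
    }
    if ($encrypted) {
        return password_verify($candidate, (string) $stored);
    }
    // Legacy plaintext mode: constant-time comparison, still no SQL built from input.
    return hash_equals((string) $stored, $candidate);
}

// Demonstration with constructed data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE course_users (c_id INT, user_id INT, username TEXT, status INT)');
$db->exec("INSERT INTO course_users VALUES (1, 10, 'alice', 5), (1, 11, 'bob', 1)");
$db->exec('CREATE TABLE users (id INT, password TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (:id, :pw)');
$ins->execute([':id' => 10, ':pw' => password_hash('s3cret', PASSWORD_DEFAULT)]);

var_dump(count(list_course_users($db, 1, 'student')) === 1);  // true: one student
try {
    list_course_users($db, 1, '5 OR 1=1');                    // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    var_dump($e->getMessage());                                // "unknown status"
}
var_dump(check_user_password($db, 10, 's3cret', true));       // true
var_dump(check_user_password($db, 10, 'wrong', true));        // false
```

The allowlist matters even with prepared statements: a bound parameter stops injection, but letting the client pick any numeric status still lets it enumerate roles it was not meant to filter on. Binding plus an explicit map of the values the page is allowed to request closes both gaps.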

As a very quick fix, you can just open main/auth/profile.php, go to line 366 (function check_user_password()) and transform the following line:

Fernando Muñoz kindly reported a series of moderate security flaws in Chamilo 1.8.8.4 (most likely also affecting all previous versions), of two XSS risks and one unauthorized file deletion risk. This has been registered in private task #5202.

In order to ensure maximum responsivity of our Chamilo administrators around the world, we provide 3 fix mechanisms that we give here by order of increasing level of required skills:

Petr Skoda (<security at skodak dot org>) recently reported a series of flaws in Chamilo 1.8.8.2, which have been duly reported here http://support.chamilo.org/issues/3600 and here http://support.chamilo.org/issues/3601 and fixed in preparation for a special corrective 1.8.8.4 release within a few days (probably on the 18th of June). This release will come together with a series of improvements to the code and no upgrade procedure needed. Patches are already available here:

This flaw is being reported to our Twitter security account and to our mailing-list security@lists.chamilo.org. The fix will be included in Chamilo 1.8.8, to be released within 14 days, but we recommend applying the patch to any production system straight away.


This security issue's risk level is considered high (on a scale of critical, high, moderate and low) in the sense that you require editing permissions in the course to trigger it (relatively safe) but it causes highly painful damage: it deletes a course directory, entirely.

This bug affects versions 1.8.6.2, 1.8.7 and 1.8.7.1.

At 21:00, Belgian time (less than 12 hours later), Julio Montoya, on behalf of BeezNest, developed a patch that you can download as a file and apply to your Chamilo 1.8.7.1 portal.

For previous versions of Chamilo, you will have to look at the patch and apply the differences manually. Suggestions are provided below:

The problem can be reproduced by trying to delete a non-existent student work from a course. The delete URL can be crafted manually, but it can also be triggered by a double click on the delete icon for a student work. This means that if you have teachers accidentally double-clicking on the delete icon, they can delete the entire course directory. The only solution then is to restore the course directory quickly from your daily backup.
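The failure mode described above (a lookup for a work item that no longer exists, followed by a delete built from the empty result) is worth seeing in a routine that fails closed. The following is an added example, not Chamilo's code and not the patch linked above; the class, table and column names are assumptions. It stops when the row is missing, requires the resolved target to be a regular file strictly inside the course directory, and only ever unlinks a single file, so a second click or a crafted id is a no-op.

```php
<?php
// Added example (not Chamilo's code). Hypothetical table course_work(c_id, id, url) where
// url is a path relative to the course directory. Demonstrated with SQLite in memory.
declare(strict_types=1);

final class WorkFileDeleter
{
    public function __construct(private PDO $db, private string $courseDir) {}

    /** Returns true only if exactly one file belonging to $workId was removed. */
    public function delete(int $courseId, int $workId): bool
    {
        $stmt = $this->db->prepare('SELECT url FROM course_work WHERE c_id = :cid AND id = :wid');
        $stmt->execute([':cid' => $courseId, ':wid' => $workId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // 1. Unknown id (crafted URL, or a second click after the first delete):
        //    stop here. Never build a filesystem path from a missing row.
        if ($row === false || trim((string) $row['url']) === '') {
            return false;
        }

        // 2. Resolve both sides and require a regular file strictly below the course
        //    directory. This blocks "", "..", symlinks out of the tree and the directory itself.
        $base   = realpath($this->courseDir);
        $target = realpath($this->courseDir . '/' . $row['url']);
        if ($base === false || $target === false
            || $target === $base
            || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
            || !is_file($target)) {
            return false;
        }

        // 3. Remove the single file, then the record. A directory is never a valid target.
        if (!unlink($target)) {
            return false;
        }
        $del = $this->db->prepare('DELETE FROM course_work WHERE c_id = :cid AND id = :wid');
        $del->execute([':cid' => $courseId, ':wid' => $workId]);
        return true;
    }
}

// Demonstration with constructed data: a temporary course directory and one work file.
$dir = sys_get_temp_dir() . '/course_' . bin2hex(random_bytes(4));
mkdir($dir . '/work', 0700, true);
file_put_contents($dir . '/work/essay.txt', 'constructed');
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE course_work (c_id INT, id INT, url TEXT)');
$db->exec("INSERT INTO course_work VALUES (1, 7, 'work/essay.txt')");

$deleter = new WorkFileDeleter($db, $dir);
var_dump($deleter->delete(1, 999)); // false: no such row, nothing touched
var_dump($deleter->delete(1, 7));   // true: one file removed
var_dump($deleter->delete(1, 7));   // false: the "double click" is a no-op
var_dump(is_dir($dir . '/work'));   // true: the course directory survives
```

The ordering is the point: existence check, then containment check, then a single-file unlink. A recursive delete never belongs in a per-item handler, because any bug that produces an empty or parent path turns it into exactly the incident this advisory describes.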

This bug was introduced in November of 2009, while still working on Dok€os, by a then member of the BeezNest team trying to fix a complex issue by using the permanently_remove_deleted_files parameter to decide whether to delete the files permanently or to leave them on disk. This flaw could apply to Dok€os 2.0 (cannot be checked until the code is made available). The developer doesn't work with us anymore, and we have considerably improved the review process, but this specific kind of bug implies a peer review process, and this can only come with regular investment.

Using the services of an official Chamilo provider guarantees your contributions go to Chamilo and help many other organizations and people around the world, just as you benefit from contributions from many others. Contribute to the Chamilo project using our official providers' services and encourage our healthy and socially responsible economic model!